Security Trimming
The Telerik UI PanelBar has a built-in security trimming functionality, which is enabled by default. If the current user is not authorized to access the URL to which a PanelBar item points, the item is hidden. Security trimming affects only what is rendered; a hidden item does not stop a direct request to that URL, so the action itself must still be protected by authorization on the server.
Security trimming depends on ASP.NET MVC authorization. Every action method that is decorated with AuthorizeAttribute checks whether the user is authorized and allows or forbids the request. For more information, refer to the article on ASP.NET MVC Authorization.
The PanelBar hides an item if the OnAuthorization method of the attribute sets the filter context result to an HttpUnauthorizedResult, which is what AuthorizeAttribute does for unauthorized users. Because the trimming check looks for that specific result type, a custom attribute that denies the request with a different result (for example, a RedirectResult to an access-denied page) does not cause the item to be hidden, even though the action itself remains protected.
For more information on using a custom AuthorizeAttribute, refer to this article.
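The attribute below is an added example and not code from the original page or from Telerik UI. It shows the one detail that matters for trimming with a custom attribute: when the attribute denies access, it must leave an HttpUnauthorizedResult in the filter context. The attribute name, the DeniedUsers property and the access-denied route are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical custom authorization attribute (example code, not part of Telerik UI).
// It keeps the standard Users/Roles checks of AuthorizeAttribute and adds a deny-list.
public class TrimmableAuthorizeAttribute : AuthorizeAttribute
{
    // Comma-separated user names that are rejected even if they pass the base checks
    // (assumed extra property for the example).
    public string DeniedUsers { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base class: authenticated user, optional Users / Roles restrictions.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        if (string.IsNullOrEmpty(DeniedUsers))
        {
            return true;
        }

        // The trimming check runs while the PanelBar renders, so base the decision
        // only on HttpContext state (user, request), never on action parameters.
        string name = httpContext.User.Identity.Name;
        return !DeniedUsers
            .Split(',')
            .Select(u => u.Trim())
            .Contains(name, StringComparer.OrdinalIgnoreCase);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // PanelBar security trimming recognises a denial only as an HttpUnauthorizedResult,
        // so keep that result type (this is also what the base implementation sets).
        filterContext.Result = new HttpUnauthorizedResult();

        // Either of the following would still block a direct request to the action,
        // but the PanelBar would no longer hide the item that points to it:
        // filterContext.Result = new RedirectResult("~/Account/AccessDenied"); // not trimmed
        // filterContext.Result = new HttpStatusCodeResult(403);                // not trimmed
    }
}

// Usage on an action that a PanelBar item points to via Action("Details", "Home"):
public class DetailsController : Controller
{
    [TrimmableAuthorize(Roles = "Editor", DeniedUsers = "guest, contractor")]
    public ActionResult Details()
    {
        return View();
    }
}
```

The item that points to Details is hidden for exactly the users the attribute rejects, and a direct request from those users still receives the 401 that HttpUnauthorizedResult produces.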
Known Limitations
The Security Trimming functionality of the component is supported when using Items Binding or SiteMap Binding and the path for an item is provided through the Action() or LoadContentFrom() overloads that accept a Controller name, an Action name and/or a RouteValueDictionary as parameters. The functionality is not supported when using Ajax binding and defining a DataUrlField, nor when the path is given as a plain URL through Url() or LoadContentFrom(string url). Such items are rendered regardless of whether the user may access the endpoint, so the endpoint must be protected on the server.
The example below demonstrates how to configure the PanelBar component and its items so that the Security Trimming functionality works as expected:
@(Html.Kendo().PanelBar()
    .Name("panelBar")
    .SecurityTrimming(true)
    .Items(data =>
    {
        data.Add().Text("About").Action("About", "Home"); // visible: the endpoint is accessible.
        data.Add().Text("Info").LoadContentFrom("Info", "Home"); // visible: the content endpoint is accessible.
        data.Add().Text("Details").Action("Details", "Home"); // hidden for non-authorized users.
        data.Add().Text("Important Details").LoadContentFrom("ImportantDetails", "Home"); // hidden for non-authorized users: access to the content endpoint is restricted.
        data.Add().Text("Details as url").Url("~/Home/Details"); // unsupported scenario: the item is not trimmed, even though the endpoint is inaccessible.
        data.Add().Text("Important Details as url").LoadContentFrom("~/Home/ImportantDetails"); // unsupported scenario: the item is not trimmed, even though the content endpoint is inaccessible.
    })
)
using System.Web.Mvc;

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Anonymous access: the "About" item is always rendered.
    public ActionResult About()
    {
        return View();
    }

    // Anonymous access: the "Info" item loads this partial view and is always rendered.
    public ActionResult Info()
    {
        return PartialView();
    }

    // [Authorize] sets an HttpUnauthorizedResult for unauthorized users, which is what
    // trims the "Details" item. The action body runs only for authorized users.
    [Authorize]
    public ActionResult Details()
    {
        return View();
    }

    // Same rule for content loaded into the "Important Details" item.
    [Authorize]
    public ActionResult ImportantDetails()
    {
        return PartialView();
    }
}